© 2022 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

Attackers use a 20-year-old trick for phishing Microsoft 365 users


Malicious hackers have dusted off the old Right-to-Left Override (RLO) technique to disguise malicious files and harvest credentials. Email security company Vade has observed an uptick in RLO attacks.

Vade's Threat Intelligence and Response Center detected more than 400 RLO spoofing campaigns in the last two weeks.

RLO is a non-printing Unicode character [U+202e] mainly used to support Hebrew and Arabic languages. This character flips and changes all subsequent text to be right-to-left when displayed instead of English's left-to-right reading order. For example, a file called "HelloCyberNews" with the Unicode character added as "Hello{U+202e]CyberNews" would be displayed as "HellosweNrebyC."

According to Vade, this method was used in the nineties and early 2010s to trick users into executing malicious files, such as corrupted .exe applications, convincing them that they were opening a .txt file. Attackers were using this method to send malware across an organization.

This attack method has made a comeback and is now being used for phishing Microsoft 365 users. Vade threat analyst team detected phishing ware using RLO and scoping Microsoft 365 accounts.

Attackers have been targeting Microsoft users with voicemail notifications. The attachments seem like .mp3 extensions, in all likelihood, an audio file containing the voice message. However, it was a disguised link to a Microsoft login webpage that requests credentials to access "sensitive info."

"For this campaign, upon form submission, the page didn't redirect to another website but rather displayed that the password was incorrect. However, Vade's cyber analyst team confirms that in some cases, this type of form can redirect to a voicemail message that is readable and contains a generic message. The aim is to make users unaware of the attack they just experienced," the company said.

Users should easily detect this scam, especially when opening an .mp3 file that leads to a Microsoft login webpage.

According to the statistics, RLO spoofing increased from mid-2020 and even more so in 2021.

"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working: End users are less protected and prepared for external threats, and many are using their endpoint security technologies at home rather than those of the company. Moreover, the voicemail context combined with RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking," Vade concluded.


More from CyberNews:

Zerodium cyber mercs zero in on Microsoft

The Colonial Pipeline hack affected gas prices less than we thought

Kaspersky found health wearables and devices open to attacks

Ex-footballer hails brave ‘new world’ of NFTs

Research reveals that retailers have unwarranted confidence in their cybersecurity

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are marked